TLDR summary: run "c_rehash" as root to fix this issue.

I just ran into this issue (symptoms: "wget https://ev-root.digicert.com/",
"openssl c_client ev-root.digicert.com" would fail).

The problem is that the symbolic links that are supposed to exist in
/etc/ssl/certs aren't there. Running the "c_rehash" command recreates the
links. Reinstalling ca-certificates does not fix this issue, because
/usr/sbin/update-ca-certificates only runs c_rehash when
/etc/ssl/certs/ca-certificates.crt is out of date (i.e. when you added or
removed some certificates).

I don't know why an Ubuntu 12.04 LTS system would be in this state;
perhaps it only happens on systems that were upgraded from earlier
Ubuntu installs, and for some reason c_rehash never got run.

$ wget https://ev-root.digicert.com/
--2013-06-07 19:55:03--  https://ev-root.digicert.com/
Resolving ev-root.digicert.com (ev-root.digicert.com)... 64.58.225.123
Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... connected.
ERROR: cannot verify ev-root.digicert.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1':
  Unable to locally verify the issuer's authority.
To connect to ev-root.digicert.com insecurely, use `--no-check-certificate'.

$ strace wget https://ev-root.digicert.com/

write(2, "Connecting to ev-root.digicert.c"..., 80Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... ) = 80
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("64.58.225.123")}, 16) = 0
.....
stat("/usr/lib/ssl/certs/244b5494.0", 0x7fff22ff0b60) = -1 ENOENT (No such file or directory)


$ c_rehash
....

$ ls -l /usr/lib/ssl/certs/244b5494.0
lrwxrwxrwx 1 root root 38 Jun  7 20:20 /usr/lib/ssl/certs/244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem

$ wget https://ev-root.digicert.com/
--2013-06-07 20:20:10--  https://ev-root.digicert.com/
Resolving ev-root.digicert.com (ev-root.digicert.com)... 64.58.225.123
Connecting to ev-root.digicert.com (ev-root.digicert.com)|64.58.225.123|:443... connected.
HTTP request sent, awaiting response... 200 OK

https://bugs.launchpad.net/bugs/1014640

Title:
  12.04/openssl refusing some verisign certified sites

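A check for the condition described in the report, as an added example that is not part of the original bug comment: it lists certificates in a CA directory that have no subject-hash link of the kind OpenSSL looked up in the strace output (244b5494.0). It assumes the individual CA certificates are the *.pem files in the directory; the function name missing_hash_links is illustrative.

```shell
#!/bin/sh
# Added example (not from the original report): list certificates in an
# OpenSSL CA directory that have no <subject_hash>.N lookup link.
# Assumption: individual CA certificates are the *.pem files in the directory.

# Print one line per certificate without a matching hash link;
# return 0 if every certificate is linked, 1 if any link is missing.
missing_hash_links() {
    dir=$1
    missing=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue            # unmatched glob or dangling link
        # Same hash OpenSSL uses to build the file name it stat()s.
        hash=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) || continue
        [ -n "$hash" ] || continue
        found=0
        # Colliding subjects get .0, .1, ...; accept any suffix whose
        # target has the same content as this certificate.
        for link in "$dir/$hash".*; do
            if [ -e "$link" ] && cmp -s "$link" "$pem"; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $dir/$hash.N -> ${pem##*/}"
            missing=1
        fi
    done
    return "$missing"
}

# Audit the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then
    missing_hash_links "$1" || echo "run c_rehash as root to recreate the links" >&2
fi
```

Run it with /etc/ssl/certs as the argument before and after c_rehash; an empty result means every certificate has its lookup link.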